The CyberWire Daily Briefing for 12.28.2012
The Nvidia Display Driver Service is found vulnerable to a stack buffer overflow that could enable an attacker to gain administrative control of Windows machines. A WordPress misconfiguration opens bloggers' password hashes and other information to compromise.
Two banking threats concern US financial institutions: Trojan.Stabuniq continues to spread, and the Comptroller of the Currency warns banks to expect denial-of-service attacks, and to prepare themselves appropriately. In Australia, ransomware proliferates, aided by a black market in "how-to" kits. A New York state audit of public school IT systems finds them startlingly vulnerable to many forms of hacking.
As we enter the year's last weekend, 2012 trend and 2013 forecast stories dominate the cyber news. Among the more interesting predictions (by McAfee) are less Anonymous-style hacktivism (replaced by "patriotic" hacking) and more crimeware-as-a-service. Discovery looks at Kaspersky's 2012 predictions and finds that they held up fairly well.
The US approaches its Federal fiscal cliff, and large defense contractors expect and prepare for the worst.
Dark Reading offers an apparently contrarian take on cyber defense-in-depth: it doesn't work, say experts. Further reading reveals a more familiar message: mere accretion of ad hoc security products and policies doesn't work. Instead, effective defense-in-depth should be designed as a comprehensive architecture with due attention to a particular enterprise's goals and needs.
As expected, China tightens access to the Internet. The US Senate's draft Intelligence Authorization Act contains provisions directed against Chinese IT vendors. The Department of Justice is investigating HP's acquisition of Autonomy for possible fraud.
Notes.
Today's issue includes events affecting Australia, Bulgaria, China, Iran, Israel, Japan, Republic of Korea, Malaysia, Philippines, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Cyber Attack on Iran a False Alarm (Discovery News) On Tuesday of this week, the Iranian Students' News Agency (in Farsi) reported that a "Stuxnet-like" computer virus had appeared again, this time infecting systems at an Iranian power plant instead of a nuclear power facility. The story also said the
Nvidia Display Driver Service Attack Escalates Privileges on Windows Machines (Threatpost) There's nothing like a zero-day to ruin the holiday break, but that's just what may be in store for engineers at Nvidia after a researcher discovered a new vulnerability in the Nvidia Display Driver Service. The flaw could hand over administrator privileges on Windows machines to an attacker
WordPress W3 Total Cache Misconfiguration Leaves Some Blogs Vulnerable (Threatpost) An apparent misconfiguration exists in W3 Total Cache (W3TC), a popular plugin for the WordPress blogging platform, that could allow an attacker to browse and download password hashes and other database information. W3 Total Cache (W3TC) is a framework for WordPress that helps speed up blogs by caching content
Regulator Warns Banks About DDoS Attacks, Encourages Information Sharing (Threatpost) In an alert issued by the Office of the Comptroller of the Currency (OCC), Deputy Comptroller for Operational Risk Carolyn G. DuChene warned financial and other critical institutions about the wave of ongoing distributed denial of service (DDoS) attacks targeting their networks. DuChene is urging the banks in particular to share data about the attacks with one another and reiterated the OCC's expectation that banks have risk management plans designed to mitigate such attacks in place ahead of time
Beware Trojan.Stabuniq, a new malware targeting American banks (Digital Trends) Symantec has released information about new malware it has discovered that appears to be targeting American banks and credit unions. Is it time to be scared yet? Add Trojan
It's 3pm 2 days after Christmas, do you know where your unmanaged SSH keys are? (Internet Storm Center) An article that may have gone overlooked since it was published on Christmas by the Washington Times highlights the risks of SSH (or really any public key encryption) when you don't manage the keys and permissions those keys get you. The article interviews Tatu Ylonen who invented SSH in 1995. In essence, the problem isn't the technology but the management of the technology where those who deploy keys simply don't manage them. The private keys are both in predictable locations and easily recognizable (i.e. begins with "-----BEGIN RSA PRIVATE KEY-----") if you have the correct permissions on the machine
'How to' kits help hackers hold Queenslanders ransom (ABC) Ransom-style online attacks, where hackers lock up computers and demand money to release information, are rising at an alarming rate in Queensland
Facebook Privacy Control Padlock Icon Subject of Viral Hoax (Softpedia) Unfortunately, the padlock has become the subject of a viral hoax. Hackers alert. Attention!!!!!
Bug reveals 'deleted' Snapchat videos (BBC) Videos sent via smartphone app Snapchat - which should disappear after a few seconds - can be preserved with easy to find tools. Snapchat has proved popular as it deletes sensitive or risque photos and videos after a short delay
Verizon 3M Data Leak, Who, When and Why (Cyberwarnews) A few days ago the media went wild with reports that 3 million Verizon WiFi accounts had been accessed and leaked; well, this was very falsely reported in many ways. First, let's start with TibitXimer, who has since either closed down or changed the name of the Twitter account. They claimed they had hacked Verizon and obtained this data some time around the 22nd and had contacted ZDNet to give an exclusive. Since then I have been contacted by a hacker who I followed closely this year (c0mrade) while they were doing some very high profile attacks and caused a lot of controversy that made many headlines throughout the cyber security world
Inadequate security of personal, private, and sensitive information in school districts' mobile computing devices (Data Breaches) I've often pointed out my concerns that public schools, at least those in New York that I've been in, do not seem to have adequate security in place for the vast troves of sensitive and confidential information they collect and retain. So I was unsurprised to read that a recent Office of the State Comptroller audit of 12 public school districts found the majority lacked adequate security for personal, private, and sensitive information (PPSI) on Mobile Computing Devices (MCDs). The audit results were released on December 14, and cover the period from January 1, 2010, to May 4, 2012
Cyber Trends
Does Security Stall Technology Adoption? - Analyzing IBM's 2012 Tech Trends Report (Healthcare Information Security) IBM's Dan Hauenstein, in analyzing Big Blue's 2012 Tech Trends Report, says security concerns often inhibit the adoption of four technologies: mobile, cloud, social business media and business analytics. "Security, far and away, is the top barrier to adoption when you look across these four spaces," says Hauenstein, IBM's Software Group's academic initiative strategy manager. Concerns about security for mobile technology, more than any other technology, weighed most on the minds of the more than 1,200 technology decision-makers IBM surveyed for the report. Sixty-one percent of respondents cited mobile security as a barrier to the adoption of the technology, and that has significant consequences, Hauenstein says: "We see this as a real threat to innovation and really to economic growth in these spaces
Most unique viruses of 2012 (Help Net Security) PandaLabs outlined its picks for the most unique viruses of the past year. Rather than a ranking of the most widespread viruses, or those that have caused most infections, these viruses are ones
Trends in mobile ransomware, large-scale attacks and hacktivism (Help Net Security) McAfee today released its annual 2013 Threat Predictions report, highlighting the top threats McAfee Labs foresees for 2013. In the coming year, McAfee Labs expects that threats to mobile devices
Were 2012 Cybersecurity Predictions Right? (Discovery) December is "prediction season" in the cybersecurity industry. Every major anti-virus software maker and digital-security provider issues its own forecasts of what computer users face in the coming year. So far this month, the predictions for 2013 look a lot like those for 2012: more Android malware, increased cyberattacks by nation-states and greater activity by "hacktivist" groups such as Anonymous.
BYOD challenges for large organizations (Help Net Security) Alexander Havang is the CTO at Procera Networks and in this interview explains enterprise challenges with BYOD. BYOD is one of the biggest buzzwords in recent years. In reality, how big of a challe
Marketplace
Cliff Talks Down To The Wire (Wall Street Journal) At best, leaders are looking at a narrow bill that could be passed at the last minute. At the meeting Friday, Mr. Obama will outline the elements he thinks should be in a deal and could get majority support in both chambers of Congress, according to a person familiar with the matter. He won't put forward a specific bill or legislative language, the person added
Why the spending cuts in the fiscal cliff won't solve America's fiscal problems (Quartz) The path to the US fiscal cliff has been a long one, and most of the coverage of it has been about raising taxes. While that's largely because taxes are such a political sticking point, it's also because the magnitude of tax increases scheduled for 2013 if America goes over the cliff--more than $500 billion, depending on how you slice it--far outstrips the $110 billion in scheduled spending cuts
Zacks Industry Outlook Highlights: Lockheed Martin, Boeing, General Dynamics, Raytheon and Northrop Grumman (Sacramento Bee) The big defense operators armed with strong balance sheets are expanding their operations inorganically through acquisitions. The U.S. Defense department also endorses mergers among U.S. defense companies, provided they don't involve the top five or six suppliers acquiring each other. For that matter, the industry encourages acquisitions as the highest-priority investment area for a company with a sizeable cash balance looking for growth amid significant defense budget cuts
Defense Industry Pessimistic about 'Cliff' Deal as Pentagon Plans for Cuts (Executive Gov) Officials from President Obama's administration have given the Pentagon the green light to begin planning for $500 million in budget cuts set to take place as a result of sequestration. According to The Hill, the defense industry is showing pessimism as negotiations between Speaker John Boehner and Obama on a potential deal came to an end last Thursday
Lockheed Announces Winners of a Cybersecurity, Healthcare Innovation Contest (The New New Internet) Lockheed Martin has announced the five winners of the "Innovate the Future" contest, according to a Smart Group article. Entries from 130 countries were assessed in the contest which focused on solutions for cybersecurity, healthcare, and renewable energy
Cisco Completes $1.2B Acquisition of Cloud Networking Firm Meraki (Govconwire) Cisco (NASDAQ: CSCO) has completed its purchase of cloud networking company Meraki Inc. for approximately $1.2 billion in cash, according to a Cisco statement. (Click Here, to read the original story by GovCon Wire of the Cisco acquisition.) According to the San Jose, Calif.-based company, the Meraki team will be integrated into Cisco's cloud networking group
The top six business of technology stories of 2012 (Why six? Why not!) (Ars Technica) Facebook went public, Bitcoin went mainstream, and Google Fiber launched in KCK
Products, Services, and Solutions
Email, Content Security Appliance targets SMBs (Thomas Net) WatchGuard Technologies, a global leader in manageable business security solutions, today announced the availability of its enhanced Extensible Content Security (XCS) solutions for small and mid-sized businesses (SMBs). The XCS 280 and XCS 580 models offer improved value for customers. The XCS 580 and XCS 280 provide the same trusted content protection with performance improvements up to 50 percent at a more affordable price point than prior models
Windows RT ported to HTC HD2 (Slashgear) We've seen the HTC HD2 running essentially every mobile operating system from its birth till now, but nothing could have prepared us for this: hackers have ported in Windows RT! This operating system is meant to be a sort of half-way point between full-on desktop mode and mobile for the Windows tablet universe hoping to join in on the Windows 8 fun; its creators certainly never intended it to be worked with on a smartphone. But there it is, on the HTC HD2, no less, the most-hacked smartphone of all time, without a doubt
Technologies, Techniques, and Standards
How To Get Your MSSP In Line With Expectations (Dark Reading) Managed security service providers can help your organization save time and money -- if you know the right way to work with them
Is Vulnerability Management Broken? (Dark Reading) Some argue that it is time to rethink the vulnerability management hamster wheel
Rethinking IT Security Architecture: Experts Question Wisdom Of Current 'Layered' Cyberdefense Strategies (Dark Reading) As attacks become more sophisticated and breaches abound, it's time for enterprises to change their cybersecurity thinking from the ground up, experts say
Better Integrate IT Risk Management With Enterprise Risk Activities (Dark Reading) Not only will IT security risks be given greater attention, risk management could affect better business performance as a result
What is a Threat? - Defining Term Seen as Helping to Safeguard Privacy (Healthcare Information Security) What is a threat? The answer seems obvious, especially in the context of IT security and information risk. Yet, is it, especially when developing codes and standards, as well as funding research and development initiatives that involve taxpayer money?
Academia
Colleges help students scrub online footprints (Yahoo) Samantha Grossman wasn't always thrilled with the impression that emerged when people Googled her name. "It wasn't anything too horrible," she said. "I just have a common name. There would be pictures, college partying pictures, that weren't of me, things I wouldn't want associated with me." So before she graduated from Syracuse University last spring, the school provided her with a tool that allowed her to put her best Web foot forward
Legislation, Policy, and Regulation
China Toughens Its Restrictions on Use of the Internet (New York Times) The Chinese government issued new rules on Friday requiring Internet users to provide their real names to service providers, while assigning Internet companies greater responsibility for deleting forbidden postings and reporting them to the
Senate Finally Holds Weak 'Debate' On FISA Amendments Act…But Terrorism! (Techdirt) While some in the Senate tried to skip over debate of the likely unconstitutional FISA Amendments Act, the Senate finally held a rushed and scripted "debate" today, which did very little to actually explore the issues (and the Senate Chamber was mostly empty during the "debate"). Senators Ron Wyden and Jeff Merkley did their best to raise significant issues, but Senator Dianne Feinstein kept shutting them down with bogus or misleading arguments, almost always punctuated with scary claims about how we had "only four days!" to renew the FISA Amendment Acts or "important" tools for law enforcement would "expire." It turns out that's not actually true. While the law would expire, the provisions sweeping orders already issued would remain in place for a year -- allowing plenty of time for a real debate
S 3454 Amendments - Intelligence Authorization Act (Chemical facility Security News) There is an interesting note on the House BillsThisWeek website about the possible consideration of S 3454, The Intelligence Authorization Act for FY 2013. Typically Senate bills are listed on this site only after they have passed in the Senate and are ready for consideration by the House. This bill, however, has not even begun consideration in the Senate, though it has been on the Senate Calendar since July
Litigation, Investigation, and Law Enforcement
HP Confirms Federal Investigation Of Autonomy's Alleged Fraud In Its Annual Report (TechCrunch) HP has confirmed that the U.S. Department of Justice launched an investigation stemming from the Palo Alto company's allegations that it uncovered widespread accounting fraud at Autonomy, the British software maker it acquired for $11 billion last year. HP confirmed the investigation in its annual report filed Thursday with the U.S. Securities and Exchange Commission, though it offered no further
Apple's $160K Copyright Fine In China Is A Pittance, But Could It Open The Door For Further Claims? (TechCrunch) China is not exactly known for having a watertight regime when it comes to piracy and copyright violations, but it's trying to change that perception, and here's a case in point: a group of eight authors, calling themselves the China Written Works Copyright Society, has won a case against Apple in Beijing for hosting apps that were in themselves violating the copyright on their works
Beyond SOPA: the top nine tech policy stories of 2012 (Ars Technica) Smartphone patent wars, porn trolls, and Kim Dotcom made 2012 a banner year
Postal Worker Arrested For Identify Theft (Menlo Park Atherton) A U.S. Postal Service mail carrier accused of stealing thousands of pieces of mail to provide credit cards to friends has pleaded not guilty to several charges and is expected to return to court on Thursday, San Mateo County prosecutors said. Romeo Maniulit Natan, 38, pleaded not guilty on Friday to multiple counts of identity theft, possession of stolen property and second-degree burglary, according to the district attorney's office. Natan allegedly stole thousands of pieces of mail and passed out credit cards from the stolen mail to friends in the northern part of the county, prosecutors said
Korea's super-hacker tracked down in Philippines (Korea Joongang Daily) The end of the line for a famed fugitive Korean hacker surnamed Shin came in mid-December, when police in the Philippines found him in Batangas Province, led to him by the earlier arrest of one of his accomplices. Shin, 39, who became famous for hacking the servers of Hyundai Capital in the first half of 2011, was repatriated to Korea Dec. 14 and is being investigated for hacking. His history is virtually the history of hacking corporations for fun and profit in Korea. Shin originally wanted to become a pop singer, and started to learn about computer hacking as a hobby starting in 2000. He obtained knowledge by chatting on the Internet with hackers abroad and studying computer books. In 2005, the hobby became his job
Nigerian gets jail and rotan for online scam (The Star) A Nigerian student was jailed 12 months and ordered to be caned twice by a magistrates court here for misappropriating RM7,500 from a woman in an online banking scam. Okoh Victor, 34, whose last address was in Kepong, Selangor, admitted misusing the money belonging to Chuah Bee Hwa, 53, on Jan 22 and 23 last year at a bank in Cantonment Road, Pulau Tikus. He was charged with committing the offence under Section 403 of the Penal Code which carries a jail term of not more than five years, whipping and a fine
That'll show those ATM fraudsters (ATM Marketplace) If the case of Leonid Rotaru was intended to set a precedent for British courts, British banks should be very afraid. In a recent court hearing, Rotaru, 32, a Bulgarian national living in the U.K., confessed to skimming data and PIN numbers from 9,000 ATM cards on behalf of a Bulgarian gang operating out of London. He admitted to possession of professionally made skimming devices
Exporting lethal surveillance tech: UK asked to investigate spyware firm (RT) Privacy rights activists are calling on HM Revenue and Customs (HMRC) to investigate spyware firm Gamma International and its exports of surveillance software to repressive regimes, such as Bahrain, calling the transactions criminal and illegal. The campaign group Privacy International (PI) confirmed in a press release that Gamma International is selling surveillance technology to regimes with horrific human rights records without a proper license. The software being sold is powerful enough to intercept text messages, phone and Skype calls, remotely turn on cameras and microphones, log keystrokes and copy files, The Guardian reported
DoJ wants to indict state-sponsored hackers. What is the real purpose? (Security Affairs) The last couple of years have been characterized by the rise of state-sponsored cyber attacks. Governments have increased their cyber capabilities to defend their critical infrastructures from offensives originating in cyberspace, but they have also improved their tactics to attack and spy on foreign government networks. Governments and private businesses in countries such as the US, Japan and the UK have been constantly hit by cyber attacks for sabotage or cyber espionage, and for this reason the US Department of Justice has decided to take the field by prosecuting the criminals. Destroying an American computer system or stealing data from a defense contractor may be considered an offense, and therefore punishable by law enforcement, even though it takes place in cyberspace
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
tmforum Big Data Analytics Summit (Amsterdam, Netherlands, Jan 29 - 30, 2012) Bringing together leading service providers, market analysts and all of the big names in Big Data, this forward-looking, education-packed two-day Summit combines keynote perspectives, case studies, debates, panels, interactive sessions and networking opportunities that maximize every participant's opportunity to network and generate ideas that can be implemented immediately.
ATMiA US Conference 2013 (Scottsdale, Arizona, US, Feb 19 - 21, 2013) A conference devoted to the design of ATMs, and the future of the ATM industry.
#BSidesBOS (Cambridge, Massachusetts, USA, Feb 23, 2013) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.
TechMentor Orlando 2013 (Orlando, Florida, USA, Mar 4 - 8, 2013) Celebrating 15 years of educational events for the IT community, TechMentor is returning to Orlando, Florida, March 4-8, for 5 days of information-packed sessions and workshops. Surrounded by your fellow IT professionals, you will receive immediately usable education that will keep you relevant in the workforce. TechMentor track topics include: Windows PowerShell and Automation; Cisco and Networking Infrastructure; Windows Server Management; Windows Client Management; Cloud and Virtualization; Identity, Access Management and Security; Performance Tuning and Troubleshooting; Mobility and BYOD; Messaging and Collaboration.
e-Crime Congress 2013 (London, England, Mar 12 - 13, 2013) The e-Crime Congress is designed to meet the needs of key stakeholders and decision makers who are responsible for designing and coordinating information security and risk management strategy, safeguarding digital assets and sensitive information, protecting customers, defending against internal or external threats and responding to incidents.
IT Security Entrepreneurs' Forum (ITSEF 2013) (Palo Alto, California, USA, Mar 19 - 20, 2013) Supported by the U.S. Department of Homeland Security, Office of Science and Technology, ITSEF 2013 aims to connect the ecosystem of the entrepreneur: industry, government, and academia. The conference will advance innovation, lead change and build trusted global collaboration models between the public and private sectors to defeat Cybersecurity threats.
The Future of Cyber Security 2013 (London, England, UK, Mar 21, 2013) Cyber Security and the Citizen 2013 is a one-day conference and exhibition for senior decision-makers of central and local government organisations, NGOs and major private sector enterprises.
Cloud Connect Silicon Valley (Santa Clara, California, USA, Apr 2 - 5, 2013) Cloud Connect returns to Silicon Valley, April 2-5, 2013, for four days of lectures, panels, tutorials and roundtable discussions on a comprehensive selection of cloud topics taught by leading industry experts.
InfoSec World Conference & Expo 2013 (Orlando, Florida, USA, Apr 15 - 17, 2013) With the primary objective of providing top-notch education to all levels of information security and IT auditing professionals, InfoSec World delivers practical sessions that give you the tools to strengthen your security without restricting your business.
25th Annual FIRST Conference (Bangkok, Thailand, Jun 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.